Meltdown/Spectre
As you have likely heard, researchers at Google's Project Zero, together with several other research groups and universities, have published details of two new classes of security vulnerability, called Meltdown and Spectre, that will have far-reaching consequences for most computing devices, whether on-premises or in the cloud. In short, the flaw sits in the processors themselves (Intel, AMD, ARM and IBM POWER parts are affected to varying degrees) and lets an attacker who can run code on a machine bypass the memory protections enforced by the operating system (Windows®, macOS, iOS, Linux and others) and read data that should be off limits, such as passwords, encryption keys and other secrets.
With vulnerabilities come risks. Understanding how Meltdown and Spectre work, and the risks they carry, will help you choose the right mitigations for your company and reduce your exposure. Before diving into what Meltdown and Spectre do, it helps to understand a few fundamentals of how modern processors work.
Most modern microarchitectures rely on a feature called speculative execution: rather than wait to learn which way a branch will go, or whether an instruction is even permitted, the CPU guesses and runs the likely instructions ahead of time so that their results are ready when they are needed. If the guess turns out to be wrong, the results are discarded. This significantly improves the overall performance and efficiency of a CPU. The catch is that the discarded work can still leave traces in shared microarchitectural state, most usefully the CPU cache, and those traces can be measured with a timing side channel. In addition, processors rely on a critical feature called memory isolation: privilege levels and page-table permission bits ensure that memory belonging to the operating system kernel is readable only by kernel-mode code, and that each process sees only its own address space. This is what prevents applications from reading information belonging to other applications or to the operating system.
With those concepts in mind, let's take a look at Meltdown first. Meltdown abuses the way out-of-order execution is implemented on Intel processors (and a few ARM cores, such as the Cortex-A75): a load from kernel memory that user code is not allowed to perform is executed speculatively before the privilege check takes effect, and the value it fetched is encoded into the cache before the fault is raised. As a result, unprivileged code can read memory that should be restricted to the all-knowing operating system kernel, and through the kernel's mappings of physical memory, data belonging to other programs, containers or virtual machines on the same host. Given that this is a hardware-based issue, devices are susceptible regardless of whether they are running Microsoft Windows®, macOS, iOS, Android or Linux. Vendors of these operating systems are releasing patches over the coming weeks that close the Meltdown hole in software, by unmapping the kernel from user-mode page tables (kernel page-table isolation); that fix does not depend on a microcode update, and only a new processor design removes the underlying flaw. There is more testing to be done by the vendors, so it's best to stay tuned and keep up with the patches.
Spectre differs from Meltdown in a few key ways. First, it is far broader: where Meltdown primarily affects Intel processors and a few ARM-based processors, Spectre affects essentially every modern processor that does branch prediction and speculative execution. The researchers demonstrated it on Intel processors based on Ivy Bridge, Haswell and Skylake, on AMD Ryzen CPUs, and on several Samsung and Qualcomm processors which use ARM. Second, Spectre does not depend on a deferred privilege check. It mistrains the CPU's branch predictors so that a victim program speculatively performs operations that would not occur during correct program execution, for example reading past a bounds check (variant 1) or jumping to an attacker-chosen code sequence (variant 2, branch target injection), and the data touched on that speculative path leaks to the attacker via a cache side channel. Because the leak happens inside the victim's own address space, no kernel privilege is needed: researchers have shown a Spectre attack launched from JavaScript downloaded in a web page and reading the memory space of the browser. Yikes! The challenge with Spectre is that it is fundamentally more difficult to mitigate with software patches, given that the flaw is in the branch predictor design itself. The operating system vendors, Microsoft, Apple and the Linux distributions among them, are releasing patches that address the known variants, and browser vendors are reducing timer precision and isolating sites into separate processes, but much is still unknown about the extent of this hardware flaw. At a minimum, processors will need new microcode (the variant 2 controls, IBRS and IBPB, are delivered that way, alongside compiler changes such as retpoline), kernels and sensitive applications will need speculation barriers at their bounds checks, and in certain circumstances the processors will have to be replaced. Time will tell how much damage this class of attack will allow.
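As an added example (not code from the original article or from the Meltdown/Spectre researchers), here is the Spectre variant 1 pattern described above in C: the classic bounds-check gadget, which is architecturally correct but speculatively exploitable, beside two hardened forms. The array contents are constructed sample data and the function names are my own. The block does not perform the timing side channel itself, which is CPU- and environment-dependent; it shows the gadget and a mitigation that still holds on a mispredicted branch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16
#define CACHE_LINE  64

/* Array the victim may index only within bounds. Constructed sample data. */
static uint8_t array1[ARRAY1_SIZE] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};

/* Probe array: one cache line per possible byte value. Whichever line the
   victim touches, even speculatively, becomes cached, and an attacker can
   find it with a timing measurement. Filled lazily so array2[v*64] == v. */
static uint8_t array2[256 * CACHE_LINE];
static int     array2_ready;

static void ensure_arrays(void)
{
    if (!array2_ready) {
        for (size_t i = 0; i < sizeof array2; i++)
            array2[i] = (uint8_t)(i / CACHE_LINE);
        array2_ready = 1;
    }
}

/* Vulnerable gadget (Spectre variant 1). Architecturally correct: an
   out-of-range x returns 0. But once the branch has been trained "taken"
   with in-range values, an out-of-range x is speculatively used to read
   array1[x] (any byte in the address space), and that byte selects which
   line of array2 is pulled into the cache. */
uint8_t victim_vulnerable(size_t x)
{
    ensure_arrays();
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * CACHE_LINE];
    return 0;
}

/* Branch-free bounds mask: all ones when index < size, zero otherwise.
   No branch means nothing to mispredict; same idea as the Linux kernel's
   array_index_nospec(). Requires size < SIZE_MAX/2. Unsigned arithmetic
   only, so this is well-defined C on any platform. */
size_t index_mask_nospec(size_t index, size_t size)
{
    /* High bit of (index | (size - 1 - index)) is set exactly when index >= size. */
    size_t in_bounds = (~(index | (size - 1 - index))) >> (sizeof(size_t) * 8 - 1);
    return (size_t)0 - in_bounds;   /* 1 -> SIZE_MAX, 0 -> 0 */
}

/* Clamp: out-of-range indexes become 0 on the real and the speculative path. */
size_t clamp_index(size_t index, size_t size)
{
    return index & index_mask_nospec(index, size);
}

/* Hardened gadget: identical results for legitimate callers, but a
   mispredicted branch can no longer turn x into an out-of-bounds read. */
uint8_t victim_hardened(size_t x)
{
    ensure_arrays();
    if (x < ARRAY1_SIZE) {
        x = clamp_index(x, ARRAY1_SIZE);
        return array2[array1[x] * CACHE_LINE];
    }
    return 0;
}

/* Alternative on x86: a serialising fence after the check stops speculation
   outright. Costlier than masking, which is why masking is preferred in hot paths. */
uint8_t victim_fenced(size_t x)
{
    ensure_arrays();
    if (x < ARRAY1_SIZE) {
#if defined(__x86_64__) || defined(__i386__)
        __asm__ __volatile__("lfence" ::: "memory");
#endif
        return array2[array1[x] * CACHE_LINE];
    }
    return 0;
}

int main(void)
{
    size_t probes[] = { 3, 15, 16, 1000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t x = probes[i];
        printf("x=%4zu  vulnerable=%3u  hardened=%3u  masked index=%zu\n",
               x, (unsigned)victim_vulnerable(x), (unsigned)victim_hardened(x),
               clamp_index(x, ARRAY1_SIZE));
    }
    return 0;
}
```

The point to notice is that all three functions return the same values for every input; the difference is only what the CPU does on the path it later throws away. Masking is what the Linux kernel adopted for variant 1 (`array_index_nospec`), and what compiler-level speculation-barrier options insert at flagged bounds checks.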
Now that you understand what these security exploits are at a high level, let’s take a look at some critical things to know moving forward.
- Meltdown and Spectre are read-only, or disclosure, attacks. In other words, these exploits do not directly give an attacker code execution in the OS kernel, in other virtual machines or in other programs. However, the information they leak (passwords, keys, the layout of memory) could well be fed into a follow-on attack that does. The primary risk is stealing information rather than controlling a system.
- These are local attacks: the attacker must be able to run code on the affected machine. That does not necessarily mean a prior compromise at the operating system level; any foothold that executes attacker-controlled code will do, including an ordinary user account, a guest virtual machine, a container, or JavaScript in a browser tab. Luckily, most of us are already in the habit of trying to keep the 'bad guys' out of our systems, and that habit is the first line of defense here too.
- The principal threat is to shared hosting environments, where multiple tenants run code on a single physical system and one tenant can read another's secrets. AWS and Azure have already deployed mitigations for their cloud environments (as much as can be done at this time). A single-tenant system is at inherently lower risk: to run the malicious code, the attacker has to have compromised that system already, and at that point you have "bigger fish to fry" anyway.
- Mitigating Meltdown will have a variable performance impact. In a nutshell, the Meltdown fix (kernel page-table isolation, PTI or KPTI on Linux, KVA Shadow on Windows) gives user space its own page tables without the kernel mapped in. Every transition between user space and the kernel, that is every system call, interrupt and page fault, now has to switch page tables and partly refill the TLB, so those transitions get more expensive in processor time. The actual impact varies with the workload and the CPU architecture: compute-bound code barely notices, while system-call-heavy workloads such as databases and network servers can see overheads as high as 30%. Newer CPUs with PCID support reduce the cost.
- The security ramifications of Spectre, and the right mitigation approach, are still unclear. Spectre represents a new class of attack that is not yet fully understood, so we don't know what we don't know about how to mitigate it completely. Stay tuned to the affected vendors' websites for updates.
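As an added example (not from the original article or from any vendor), a small C tool that reads what the Linux kernel reports for these issues under /sys/devices/system/cpu/vulnerabilities, present in 4.15 and in distribution kernels that backported it. "Mitigation: PTI" under meltdown is the page-table isolation described in the mitigation bullet above. Function and constant names are my own; on a host without the interface the tool says so and exits with status 2.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum mitigation_state { STATE_NOT_AFFECTED, STATE_MITIGATED, STATE_VULNERABLE, STATE_UNKNOWN };

#define VULN_DIR "/sys/devices/system/cpu/vulnerabilities/"

/* The three entries that cover this article's topic; newer kernels add
   more (l1tf, mds, ...) alongside them in the same directory. */
static const char *const vuln_names[] = { "meltdown", "spectre_v1", "spectre_v2" };

/* Classify one status string as the kernel prints it: "Not affected",
   "Vulnerable", "Vulnerable: <detail>" or "Mitigation: <detail>". */
enum mitigation_state classify_status(const char *s)
{
    if (strncmp(s, "Not affected", 12) == 0) return STATE_NOT_AFFECTED;
    if (strncmp(s, "Mitigation:", 11) == 0)  return STATE_MITIGATED;
    if (strncmp(s, "Vulnerable", 10) == 0)   return STATE_VULNERABLE;
    return STATE_UNKNOWN;
}

const char *state_name(enum mitigation_state st)
{
    switch (st) {
    case STATE_NOT_AFFECTED: return "not affected";
    case STATE_MITIGATED:    return "mitigated";
    case STATE_VULNERABLE:   return "VULNERABLE";
    default:                 return "unknown";
    }
}

/* Read one sysfs entry into buf (newline stripped). Returns 0 on success,
   -1 with errno set when the file is absent: a kernel older than 4.15
   without the backport, or a non-Linux host. */
int read_vuln_status(const char *dir, const char *name, char *buf, size_t len)
{
    char path[256];
    FILE *f;

    if (snprintf(path, sizeof path, "%s%s", dir, name) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    f = fopen(path, "r");
    if (!f)
        return -1;
    if (!fgets(buf, (int)len, f)) {
        fclose(f);
        errno = EIO;
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Prints one line per entry. Returns the number of entries still reported
   as vulnerable, or -1 if none of the files exist (interface missing). */
int report_host(const char *dir)
{
    int vulnerable = 0, found = 0;
    char status[128];

    for (size_t i = 0; i < sizeof vuln_names / sizeof vuln_names[0]; i++) {
        if (read_vuln_status(dir, vuln_names[i], status, sizeof status) != 0) {
            printf("%-11s : no sysfs entry (%s)\n", vuln_names[i], strerror(errno));
            continue;
        }
        found++;
        enum mitigation_state st = classify_status(status);
        if (st == STATE_VULNERABLE)
            vulnerable++;
        printf("%-11s : %-12s  \"%s\"\n", vuln_names[i], state_name(st), status);
    }
    return found ? vulnerable : -1;
}

int main(void)
{
    int n = report_host(VULN_DIR);
    if (n < 0) {
        puts("Kernel does not expose /sys/devices/system/cpu/vulnerabilities; "
             "check `dmesg | grep -i isolation` or the vendor's detection script instead.");
        return 2;
    }
    return n ? 1 : 0;   /* non-zero exit if anything is still vulnerable */
}
```

The exit status makes this usable from configuration management or a fleet inventory job: 0 when every listed entry is mitigated or not affected, 1 when something is still vulnerable, 2 when the kernel is too old to say. Note that "Vulnerable: Minimal generic ASM retpoline" is still classified as vulnerable, which matches the kernel's own view that a partial retpoline without the matching microcode is not a complete variant 2 fix.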
Vendor Responses – Updated 1/15/18
- Cisco
- Citrix
- Dell
  - http://www.dell.com/support/contents/us/en/04/article/product-support/self-support-knowledgebase/software-and-downloads/support-for-meltdown-and-spectre
  - Dell Client
  - Dell Enterprise (Dell Servers, Storage and Networking)
  - RSA (customer login required)
  - Dell EMC Storage & Data Protection (customer login required)
  - Dell EMC CPSD (customer login required)
- Microsoft
- NetApp
- Pure Storage
- Red Hat
  - Detection tool (with links to fixes and performance-impact data)
- Supermicro
- Veritas
- VMware